On 12/02/2014 07:23 PM, Vojtech Szocs wrote:
> Hi,
>
> since 3.5 the oVirt REST API features a CSRF protection
> mechanism via CSRFProtectionFilter, see [1] for details.
>
> [1] http://gerrit.ovirt.org/#/c/29681/
>
> I'd like to ask what's the motivation behind calling the
> CSRF token header "JSESSIONID". I think the header name
> should reflect its logical purpose to avoid confusion.
>

The motivation is that the CSRF protection filter checks the session identifier, and as we plan to introduce a header for the session in the future there is no need for an additional header.

> Could we rename this header to something more appropriate
> like "OVIRT-REST-CSRF-TOKEN" or similar? It would better
> reflect the purpose of this (CSRF protection) header.
>
> In future, we can still have another request header with
> name "JSESSIONID" for transmitting session ID from client
> to server, however this potential new header would have
> a different purpose (transfer session ID vs. CSRF token).
> Each header should have a name reflecting its purpose.
>
> (This is just a suggestion.)
>
> Thanks,
> Vojtech
> _______________________________________________
> Devel mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/devel
>

--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
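
A model of the check the reply describes (the filter compares a request header carrying the session ID against the session the request's cookie resolves to), as an added Python example for this thread. It is not oVirt's CSRFProtectionFilter and does not claim to match its behaviour; it assumes the cookie and the header are both named JSESSIONID as discussed above, uses a hypothetical in-memory session store, and constructs its own sample requests.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Assumption for this model: the session cookie and the CSRF header share
# the name "JSESSIONID", as in the thread. The real oVirt filter may differ.
SESSION_COOKIE = "JSESSIONID"
CSRF_HEADER = "JSESSIONID"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: header name -> value."""
    headers: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store (hypothetical, not oVirt's)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        # 128-bit random session ID: unguessable, so presenting it proves
        # the caller was able to read the cookie value.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def session_id_from_cookie(request):
    """Parse the Cookie header and return the session ID, or None."""
    jar = SimpleCookie()
    jar.load(request.headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def csrf_filter(store, request):
    """Session-bound CSRF check; returns (allowed, reason).

    A browser attaches the JSESSIONID cookie to every request to the
    server, including one a hostile page triggers (form post, img tag).
    That page cannot read the cookie's value, so it cannot copy it into
    a custom header. Requiring the header to equal the session ID thus
    lets through only clients that already hold the session ID.
    """
    sid = session_id_from_cookie(request)
    if sid is None or store.lookup(sid) is None:
        return False, "no valid session"
    header = request.headers.get(CSRF_HEADER)
    if header is None:
        return False, "missing CSRF header"
    # Constant-time comparison: the session ID is a secret.
    if not hmac.compare_digest(header.encode(), sid.encode()):
        return False, "CSRF header does not match session"
    return True, "ok"


def legitimate_request(sid):
    """What an API client that knows its session ID sends (constructed)."""
    return Request({"Cookie": f"{SESSION_COOKIE}={sid}", CSRF_HEADER: sid})


def forged_request(sid):
    """What a cross-site page can make the browser send: the cookie goes
    along automatically, but no custom header carrying it (constructed)."""
    return Request({"Cookie": f"{SESSION_COOKIE}={sid}"})


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin@internal")
    print(csrf_filter(store, legitimate_request(sid)))
    print(csrf_filter(store, forged_request(sid)))
```

The point of the model is the reply's argument: because the header value is the session ID itself, the filter needs no second secret, and whatever the header is eventually called, the check stays the same (header equals the ID of the session identified by the cookie). Renaming the header as Vojtech suggests would change only the two constants at the top.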
